Friday, December 21, 2012

hexedit is a hexadecimal editor, as its name suggests. You can edit both files and entire drives with it, in exactly the same way. When you start it, it shows 3 different "columns": the location (starting from 00000000), then the hexadecimal values, and on the far right the ASCII values. You can switch between the hex and ASCII representation with the TAB key. Moving around in the file can be done with the arrow keys.

There are a whole lot of hotkeys you can use for navigating and editing, which I don't want to cover here; you can find them all on the official site, or in the manual of the application. Just a few common ones:

Sunday, December 9, 2012

recoverjpeg is a tool for recovering deleted JPEG files from a drive. It's very powerful; I managed to recover JPEGs even after formatting and writing to the pendrive. Its pair is the recovermov tool, which can restore MOV files.
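As an added example (not from the original post and not the code of either tool), the following Python script shows the two ideas behind these entries: the offset / hex / ASCII layout that hexedit displays, and a simplified marker-based carve of the kind file recovery tools rely on. The "disk image" is constructed inline; the carver only looks for the JPEG SOI and EOI markers, which is an assumption about how recovery works, not a description of recoverjpeg's internals (the real tool also parses the JPEG segment structure).

```python
# Three-column hex view (like hexedit) plus a marker-based JPEG carver.
# Added example; the disk image below is constructed, not real data.

def hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes as hexedit shows them: offset, hex values, ASCII column
    (non-printable bytes shown as '.')."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        asc = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08X}   {hexpart:<{width * 3 - 1}}   {asc}")
    return "\n".join(lines)


SOI = b"\xFF\xD8\xFF"   # JPEG start-of-image marker, always followed by another marker byte
EOI = b"\xFF\xD9"       # JPEG end-of-image marker


def carve_jpegs(image: bytes, max_size: int = 32 * 1024 * 1024) -> list:
    """Return (offset, bytes) for every SOI..EOI span found in a raw image.
    A truncated file (SOI with no EOI within max_size) is skipped, which is
    the usual edge case a carver has to cope with after partial overwrites."""
    found = []
    pos = 0
    while True:
        start = image.find(SOI, pos)
        if start < 0:
            break
        end = image.find(EOI, start + len(SOI), start + max_size)
        if end < 0:
            pos = start + 1          # no end marker: keep scanning past this SOI
            continue
        found.append((start, image[start:end + len(EOI)]))
        pos = end + len(EOI)
    return found


# Constructed sample "drive": filler, two tiny JPEG-like blobs, one truncated blob
DISK = (b"\x00" * 20 + SOI + b"\xE0\x00\x10JFIF\x00data1" + EOI
        + b"GARBAGE" + SOI + b"\xE1\x00\x06Exif" + EOI + b"\xFF" * 5
        + SOI + b"\xDB truncated, no end marker")

if __name__ == "__main__":
    for offset, blob in carve_jpegs(DISK):
        print(f"candidate at {offset:#x}, {len(blob)} bytes")
        print(hexdump(blob))
```

Running the script lists the two complete candidates and ignores the truncated third one; the hex view of each candidate starts with `FF D8 FF`, which is also what you would see in hexedit at the start of a real JPEG.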

Friday, February 17, 2012

hexinject is capable of injecting any packet into the network, which we construct ourselves in hex. The tool doesn't do any verification, so it will send even a sentence like 'jaj de finom ez a leves' ("this soup is really tasty" in Hungarian). Thus if we screw up a protocol's structure, other software won't be able to understand it. It has a sniffing mode, where we can listen to the network traffic. It's quite hard to use on its own, but with pipes or scripts it can be really useful.

It has 2 main modes: command line and GUI based. For using the first one we need to dig a lot in its manual in order to do anything, and the graphical interface is said to be only in beta. In reality both modes have a few bugs. Unfortunately I can't do examples, because I don't have a switch to test with.

Starting GUI mode:

yersinia -G

We can start an attack from the "launch attack" menu, and stop it from the "list attacks" menu.

Wednesday, February 15, 2012

ettercap is a tool for doing LAN based MitM attacks, which are based on ARP spoofing. After it has succeeded in stepping into the traffic flow path, we can do several things with it, for example:

- data modification

- extracting passwords

All of these are accomplished by plug-ins.

In order to get ARP spoofing to work properly we need to turn on IP forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

Ettercap is already installed in the 64-bit version; in the 32-bit version we need to install it:

apt-get install ettercap

We can use the tool in 3 modes: text, curses, graphical:

ettercap -T

ettercap -C

ettercap -G

I will use the graphical one.

Once started, choose the Sniff -> Unified sniffing menu, and do a device discovery, which will send an ARP message to all IPs in the subnet. The devices can also be loaded from a file.

Then add the two devices you want to sniff to the target list. I used the default gateway and my laptop's IP here.

Then load the plugin you want to use.

By choosing Mitm -> Arp spoofing we can perform the attack, and now we are in the traffic's path between the two machines. At the Start -> Start sniffing menu we can actually activate the attack. For DNS spoofing we can set the fake domain - IP pairs in the following config file:

/usr/share/ettercap/ether.dns

If all goes well, we can redirect the computer's traffic to a custom target:

The ettercap log:

Stopping can be done in the Mitm -> Stop mitm attack menu.

Protection:

1. Basically we need to protect against ARP spoofing, which is the same as what I described for the arpspoof tool.

2. Don't use DNS - this can be realistic in some cases

3. Use an IDS / IPS on the LAN - this is not so common, and not too effective against attacks like this

4. Use DNSSEC - cryptographically signed DNS, this is also not widely used

Monday, February 13, 2012

We can start the tool simply from the terminal. I don't want to go into the details of how arpspoof works; there are tons of writings about that on the Internet. In short, we can become a man in the middle between two hosts on a LAN by overwriting their ARP tables with a false entry which points to us instead of the real address - this can be done with ARP.

Before we start it, we need to turn on IP forwarding on Linux:

root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward

Usage:

arpspoof [-i interface] [-t target] host

where

target - the host whose traffic we want to sniff

host - the host we want to impersonate

Thus we need to run it from two windows, because running it for a single host we would see only one direction of the traffic. We need to impersonate both hosts.

Most modern switches already have a feature which tracks which MAC address is used on a port and allows only valid ARP traffic, meaning only those ARP packets are allowed which contain the MAC address of the host on that port. Cisco and Juniper call it "Dynamic ARP Inspection (DAI)". More information:
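The DAI idea just described, and point 1 of the ettercap "Protection" list above, can be approximated on a host or a SPAN port with a few lines of Python. The following is an added example (not from the original posts and not the switch feature itself): it reads ARP reply lines in tcpdump's text format from a constructed capture, checks them against a static IP-to-MAC binding table the way DAI does, and additionally flags two things DAI does not need to learn: an IP whose MAC changes after it was first seen, and one MAC claiming several IPs, which is what the two-window arpspoof run described above looks like on the wire. The binding table and the capture lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed capture in tcpdump's ARP output format (not real traffic).
# The last two replies show one MAC taking over both the gateway and a host.
CAPTURE = """\
10:00:01.001 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
10:00:01.002 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
10:00:05.100 ARP, Reply 192.168.1.20 is-at aa:bb:cc:dd:ee:01, length 28
10:00:09.300 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
10:00:09.301 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:01, length 28
"""

REPLY_RE = re.compile(
    r"^(\S+) ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})", re.I)

# Constructed static bindings, the same role as a switch's DAI binding table:
# a reply for a bound IP must carry exactly this MAC.
BINDINGS = {"192.168.1.1": "00:11:22:33:44:55"}


def analyse_arp(capture: str, bindings: dict) -> list:
    """Return (timestamp, alert_kind, ip, mac) tuples for suspicious ARP replies.

    binding-violation : reply contradicts the static binding table (DAI check)
    mac-change        : an IP that was learned earlier now claims another MAC
    multi-ip-claim    : one MAC answers for more than one IP
    """
    learned = {}                 # ip -> first MAC seen for it
    claims = defaultdict(set)    # mac -> IPs it has claimed
    alerts = []
    for line in capture.splitlines():
        m = REPLY_RE.match(line)
        if not m:
            continue             # requests and non-ARP lines carry no claim
        ts, ip, mac = m.group(1), m.group(2), m.group(3).lower()
        if ip in bindings and bindings[ip] != mac:
            alerts.append((ts, "binding-violation", ip, mac))
        elif ip in learned and learned[ip] != mac:
            alerts.append((ts, "mac-change", ip, mac))
        learned.setdefault(ip, mac)
        claims[mac].add(ip)
        if len(claims[mac]) > 1:
            alerts.append((ts, "multi-ip-claim", ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in analyse_arp(CAPTURE, BINDINGS):
        print(*alert)
```

The binding check is the strong signal: it needs no learning phase and cannot be fooled by an attacker who sends the poison before the real host answers. The two learned checks are heuristics, so on a network with DHCP churn they want a longer history than this sample before they are trusted.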

Sunday, February 12, 2012

This tool can also identify web servers by checking fingerprints. It compares the gathered data with its fingerprint database, assigns a probability to each server type, and lists them in descending order. The app has a GUI version as well.

Usage of the command line version:

Folder: /pentest/enumeration/www/httprint/linux#

The fake_router6 tool sends RA (router advertisement) packets to the network with the highest priority, thus claiming to be a router. It can achieve the following this way:

1. Set the machine as the default gateway, potentially allowing us to be MitM

2. If we give a non-existent link-local address, then it will be a DoS attack, as hosts will send the packets to a black hole

3. If we don't forward anything, only receive the packets as a DG, that is also a DoS

Simple usage:

fake_router6 interface address-prefix/prefix-length

eg.:

fake_router6 eth0 3003::1/64

After we start advertising ourselves, the hosts receive it and generate an address for themselves:

This tool can be considered the pair of detect-new-ip6. Similarly it listens for ICMPv6 DAD packets on the network, but if it sees one, it sends a response that this IPv6 address already exists; this way we can ensure that no host will be able to connect to the network - a DoS attack.

If you are using the BT5 64-bit version, as I am, it won't work properly, along with detect-new-ip6. I managed to get it to work only if I started Wireshark and a capture with it. Unfortunately Wireshark also didn't start properly:

Friday, February 10, 2012

The second tool from the package is alive6. It actually scans the network for active IPv6 addresses. It uses multiple packet types for scanning:

- ICMPv6

- IPv6 packet w/ unknown header

- IPv6 packet w/ unknown hop-by-hop options

(etc.)

We can set this with the "-s" option. We can select from many options, but the basic run is quite simple:

alive6 [interface]

Thursday, February 9, 2012

The tools in the thc-ipv6 package are located in the /usr/local/bin/ directory on BackTrack 5. The complete program listing and the package itself are available for download from here: http://thc.org/thc-ipv6/

The first tool I check is "detect-new-ip6". It essentially detects new hosts which connect to the network and continuously prints them to the screen. It is based on IPv6's DAD (Duplicate Address Detection) function. Each IPv6 host, when it connects to the network, sends an ICMPv6 packet to a multicast address associated with its IPv6 address and waits for a reply, thereby verifying whether this address is already used by another device on the network. These messages are watched by the tool. The usage is very simple:
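Three of the thc-ipv6 entries in this series (fake_router6, the DAD-answering DoS tool, and detect-new-ip6) all work on the same two Neighbor Discovery messages, so one added Python example covers the defender's side of all three. It is not code from thc-ipv6 or from the original posts. It decodes ICMPv6 Router Advertisements (RFC 4861, with the RFC 4191 preference bits that "highest priority" refers to) and flags any RA whose sender is not on a constructed router allowlist; it lists every address a host tries to claim through DAD, which is what detect-new-ip6 prints; and it flags a sender that answers every DAD probe within a short window, which is the DAD-denial pattern described above. The packets are built inline as sample input (ICMPv6 part only, checksums left at zero); the addresses, allowlist and timings are constructed.

```python
import struct
import ipaddress
from collections import defaultdict

ICMP_RA, ICMP_NS, ICMP_NA = 134, 135, 136
OPT_PREFIX_INFO = 3
PREF_NAMES = {0: "medium", 1: "high", 2: "reserved", 3: "low"}   # RFC 4191 Prf bits


def build_ra(prefix: str, plen: int, pref: int, lifetime: int = 1800) -> bytes:
    """Constructed sample RA with one Prefix Information option (sample input only)."""
    hdr = struct.pack("!BBHBBHII", ICMP_RA, 0, 0, 64, pref << 3, lifetime, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
    return hdr + opt + ipaddress.IPv6Address(prefix).packed


def parse_ra(payload: bytes) -> dict:
    """Decode the RA header and any Prefix Information options (RFC 4861 layout)."""
    typ, _code, _csum, hop, flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", payload[:16])
    if typ != ICMP_RA:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop, "preference": PREF_NAMES[(flags >> 3) & 0x3],
          "router_lifetime": lifetime, "prefixes": []}
    pos = 16
    while pos + 2 <= len(payload):
        otype, olen = payload[pos], payload[pos + 1]     # olen is in units of 8 octets
        if olen == 0:                                     # RFC 4861: discard such packets
            raise ValueError("zero-length ND option")
        body = payload[pos:pos + olen * 8]
        if otype == OPT_PREFIX_INFO and len(body) == 32:
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[16:32])}/{body[2]}")
        pos += olen * 8
    return ra


LEGIT_ROUTERS = {"fe80::1"}    # constructed allowlist of the routers that should exist


def check_ra(src: str, payload: bytes, legit=LEGIT_ROUTERS) -> list:
    """Alert on an RA from a sender that is not an allowlisted router. Router
    lifetime 0 means the sender is withdrawing a gateway rather than offering one."""
    ra = parse_ra(payload)
    if src in legit:
        return []
    kind = "gateway-withdrawal" if ra["router_lifetime"] == 0 else "rogue-router"
    return [(kind, src, ra["preference"], ra["prefixes"])]


def nd_target(payload: bytes) -> str:
    """Target address of an NS or NA; both carry it at offset 8."""
    return str(ipaddress.IPv6Address(payload[8:24]))


def build_ns(target: str) -> bytes:      # constructed DAD probe (sent from '::')
    return struct.pack("!BBHI", ICMP_NS, 0, 0, 0) + ipaddress.IPv6Address(target).packed


def build_na(target: str) -> bytes:      # constructed answer with the override flag set
    return struct.pack("!BBHI", ICMP_NA, 0, 0, 0x20000000) + ipaddress.IPv6Address(target).packed


def dad_monitor(frames: list, window: float = 1.0) -> dict:
    """frames: (time, src_ip, icmpv6_payload). Returns the addresses hosts tried to
    claim (what detect-new-ip6 reports) and any sender that answered every probe."""
    pending, answered, new_addresses = {}, defaultdict(int), []
    for t, src, payload in frames:
        if payload[0] == ICMP_NS and src == "::":         # DAD uses the unspecified source
            tgt = nd_target(payload)
            pending[tgt] = t
            new_addresses.append(tgt)
        elif payload[0] == ICMP_NA:
            tgt = nd_target(payload)
            if tgt in pending and t - pending[tgt] <= window:
                answered[src] += 1
    probes = len(new_addresses)
    killers = [s for s, n in answered.items() if probes >= 2 and n == probes]
    return {"new_addresses": new_addresses, "dad_killers": killers}


# Constructed traffic: a legitimate RA, a rogue high-preference RA, and two DAD
# probes from joining hosts that the same sender answers within milliseconds.
FRAMES = [
    (0.0, "fe80::1", build_ra("2001:db8:1::", 64, 0)),
    (0.5, "fe80::bad", build_ra("3003::", 64, 1)),
    (1.0, "::", build_ns("2001:db8:1::10")),
    (1.01, "fe80::bad", build_na("2001:db8:1::10")),
    (2.0, "::", build_ns("2001:db8:1::11")),
    (2.01, "fe80::bad", build_na("2001:db8:1::11")),
]


def analyse(frames=FRAMES) -> dict:
    ra_alerts = [a for _t, src, p in frames if p[0] == ICMP_RA for a in check_ra(src, p)]
    return {"ra_alerts": ra_alerts, **dad_monitor(frames)}


if __name__ == "__main__":
    print(analyse())
```

On a real link the frames would come from a capture rather than from the builders; the allowlist of router link-local addresses is the one piece of local knowledge the check needs, and the "every probe answered" rule deliberately requires at least two probes so a single legitimate duplicate-address reply is not reported.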

I'm starting a series about IPv6, since not much has been published about it. This is understandable, because it is still not as common, but that will not always be the case. I won't describe the IPv6 protocol; everyone can look that up.

There are not a lot of IPv6 testing tools; the most widely used is the thc-ipv6 package, which contains a lot of different utilities. The goal is to go through them one by one. But before proceeding, let's look at how to ping over IPv6, because the ping command does not work. What we need is "ping6". Use it the same way as ping.

Wednesday, January 18, 2012

amap is good for detecting applications / services on a given port. We can reveal the app name and even its version number. It works by sending a trigger message to the port and comparing the response with its database.

The location of the amap trigger files and response database in BackTrack 5:

/usr/local/etc/appdefs.trig

/usr/local/etc/appdefs.resp

root@bt:~# amap -bq 192.168.1.11 21 80

This scans ports 21 and 80 and prints the banners, but if a port is closed it doesn't give any information about that. If we want to scan multiple ports we need to list them with a space delimiter.
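To make the "trigger, then compare the response with a database" idea concrete for both amap and the probability ranking httprint produces, here is an added Python example (not amap's or httprint's code, and not their real signature formats). It runs a small constructed signature table over constructed banners and returns candidates with a normalised probability in descending order; only the response-matching half is shown, and the trigger that elicits the banner (an empty read on FTP, a HEAD request on HTTP) is assumed to have been sent already. Matching your own exposed services this way is a quick inventory check, and a banner that matches nothing is reported as an empty list rather than a guess.

```python
import re

# Constructed signature table: (service name, regex over the response, weight).
# Specific signatures carry a full weight, generic protocol signatures a low one,
# so a specific match dominates the ranking when both fire.
SIGNATURES = [
    ("vsftpd", re.compile(rb"^220 \(vsFTPd ([\d.]+)\)"), 1.0),
    ("proftpd", re.compile(rb"^220 ProFTPD ([\d.]+)"), 1.0),
    ("apache", re.compile(rb"^Server: Apache/?([\d.]*)", re.M), 1.0),
    ("nginx", re.compile(rb"^Server: nginx/?([\d.]*)", re.M), 1.0),
    ("http-generic", re.compile(rb"^HTTP/1\.[01] \d{3}"), 0.3),
    ("ftp-generic", re.compile(rb"^220[ -]"), 0.3),
]


def identify(response: bytes) -> list:
    """Score every signature against a banner and return (name, version, probability)
    tuples sorted by probability, descending; an unmatched banner gives []."""
    hits = []
    for name, rx, weight in SIGNATURES:
        m = rx.search(response)
        if not m:
            continue
        version = m.group(1).decode() if m.groups() and m.group(1) else None
        hits.append((name, version, weight))
    total = sum(w for _, _, w in hits)
    ranked = [(n, v, round(w / total, 2)) for n, v, w in hits]
    return sorted(ranked, key=lambda h: -h[2])


# Constructed banners as a port would return them (versions are made up)
BANNER_FTP = b"220 (vsFTPd 1.2.3)\r\n"
BANNER_HTTP = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.14 (Ubuntu)\r\n"
               b"Content-Type: text/html\r\n\r\n")
BANNER_UNKNOWN = b"SSH-2.0-OpenSSH_5.3\r\n"

if __name__ == "__main__":
    for port, banner in ((21, BANNER_FTP), (80, BANNER_HTTP), (22, BANNER_UNKNOWN)):
        print(port, identify(banner) or "no match")
```

The weights are the only tuning knob: the real tools have far larger databases, but the ranking step is the same normalise-and-sort shown here, which is why httprint can show a second-best candidate with a lower probability instead of a single verdict.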

Monday, January 16, 2012

1) Make a new VirtualPC, select the Ubuntu 64-bit version, and set the other parameters (RAM, HDD - min 8GB, network)

2) Select the downloaded ISO file for the CD drive.

3) Boot BackTrack from the CD

4) Start the GUI (startx)

5) Click the install.sh icon on the desktop

6) Follow the installation wizard (Step 7) - at 99% it will linger for a while, but it does not freeze, so wait patiently

7) Reboot the system, and if you want, remove the CD

8) Login (root / toor is the default)

9) Run the "fix-splash" script

10) Start the GUI (startx)

11) Delete the install.sh icon

12) If you want, you can install the VirtualBox apps